© Skillie.co.in. All Rights Reserved.

Azure policy questions and answers

Skillie
Last updated: 2025/04/28 at 4:43 PM
1. What is the difference between Azure Policy and Azure RBAC?

Azure Policy and Azure Role-Based Access Control (RBAC) serve different purposes in Azure governance.

Azure Policy is designed to enforce organizational standards and rules. It ensures that resources meet certain requirements, such as being deployed only in approved regions or having specific tags.

On the other hand, Azure RBAC is used to manage permissions on resources deployed on Azure by defining who can perform specific actions, like read, write, or delete, on those resources.

For instance, Azure RBAC can allow a user to manage virtual machines but prevent them from accessing networking components. While Azure Policy focuses on what is allowed to be deployed and how it is configured, Azure RBAC controls who can perform actions on those resources.

Both work together to enforce security and compliance in the cloud environment.

2. Can you explain the term “scope” in Azure Policy?

Scope in Azure Policy defines where the policy applies. Once a policy is applied to a scope, it is inherited by all resources within that scope. The scope can be:

  • Management Group
  • Subscription
  • Resource Group
  • Individual Resource

3. What is Policy Remediation in Azure?

Policy Remediation refers to correcting existing non-compliant resources after a policy is applied. When a new policy takes effect, it acts on new resources, not existing ones, so existing resources can be reported as a considerable number of non-compliances. Remediation is used to fix these non-compliances. This can be done with:

  • The deployIfNotExists or modify effects in the new policy.
  • A remediation task, which must be created to apply changes retroactively.

4. What is the difference between policy definition and initiatives?

An Azure policy definition is a single policy rule defined in JSON, whereas an initiative is a collection of multiple policies grouped together and applied to a certain scope.

Initiatives are a good way to enforce multiple policy definitions collectively.

For example, if you are a customer who recently transformed/migrated/created your IT resources on Azure, you need to enforce standards of finance, security, and operational efficiency on your resources.

You can create dedicated initiatives for each category with related policy definitions and apply them to a scope.

5. How can you exclude resources from a policy assignment?

During policy assignment, you can specify an exclusion scope:

  • Exclude a specific resource group or resource, or
  • Use the notScopes parameter.

6. How do you test a policy before assigning it to production?

Always remember that sudden reporting of non-compliances can be overwhelming for non-compliant teams. So, whenever a new policy is scheduled to come into effect, you can take the following steps.

  • Assign the policy in “Audit” mode to log violations without enforcement. As a best practice, inform all teams about the new policy via e-mail and support channels, keep it in audit mode for some time, and then change the effect accordingly.
  • Apply to a test subscription/resource group to ensure that the policy works as expected.
  • Use the Azure Policy compliance dashboard to evaluate the impact.

7. What is the concept of “Policy Exemptions” in Azure?

Policy Exemption allows you to formally exclude specific resources from policy compliance tracking. This is used in situations where, for business continuity reasons, you need to exempt certain resources. For example, a certain financial policy restricts you from creating VMs above a certain size, but you need a larger size for an application that would run on a VM. You can request an exemption from the team responsible. You can:

  • Add justification
  • Set a time-bound exemption

This is useful for exceptions and phased rollouts.
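
How scope inheritance, notScopes exclusions and time-bound exemptions (questions 2, 5 and 7) combine for a single assignment, as an added example that is not from the original article or from Azure's own code. It is a simplified model for subscription-level scopes and below; the subscription ID, resource names, dates and function names are constructed.

```python
from datetime import datetime, timezone

def _segments(resource_id):
    # Azure resource IDs are case-insensitive; compare whole path segments
    # so that "sandbox" does not also match "sandbox2".
    return [s.lower() for s in resource_id.strip("/").split("/")]

def is_within(resource_id, scope):
    """True if resource_id equals scope or sits below it in the hierarchy."""
    rid, sc = _segments(resource_id), _segments(scope)
    return rid[:len(sc)] == sc

def policy_applies(resource_id, assignment, exemptions, now):
    """Return (applies, reason) for one policy assignment.

    assignment: {"scope": str, "notScopes": [str]}
    exemptions: [{"scope": str, "expiresOn": datetime or None, "description": str}]
    """
    if not is_within(resource_id, assignment["scope"]):
        return False, "outside assignment scope"
    for excluded in assignment.get("notScopes", []):
        if is_within(resource_id, excluded):
            return False, "excluded by notScopes"
    for ex in exemptions:
        # An exemption past its expiry no longer shields the resource.
        if is_within(resource_id, ex["scope"]) and (
                ex["expiresOn"] is None or now < ex["expiresOn"]):
            return False, "exempt: " + ex["description"]
    return True, "in scope"

# Constructed sample data (placeholder subscription ID and names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENT = {"scope": SUB, "notScopes": [SUB + "/resourceGroups/sandbox"]}
EXEMPTIONS = [{
    "scope": SUB + "/resourceGroups/finance/providers"
                   "/Microsoft.Compute/virtualMachines/vm-batch",
    "expiresOn": datetime(2025, 6, 30, tzinfo=timezone.utc),
    "description": "larger VM size approved for batch workload",
}]
```

An expired exemption puts the resource back under the policy, so time-bound exemptions need an owner who either renews them or brings the resource into compliance before the date passes.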

8. What is the role of Azure Policy in managing resource tagging standards?

Azure Policy can do many things, such as:

  • Audit missing tags
  • Enforce specific tag values
  • Automatically add or modify tags using the modify or deployIfNotExists effect
  • Help maintain consistent tagging for cost, security, or operational needs.

9. You want to ensure that all new virtual machines are deployed in specific regions and use specific sizes. How would you achieve this via Azure policies?

  • Use a policy with a “Deny” effect
  • Restrict:
    • location to allowed regions
    • properties.hardwareProfile.vmSize to allowed sizes
  • Assign the policy to the desired scope.

10. What is the difference between “Audit” and “Deny” policy effects?

Audit and deny are two policy effects and both have different purposes.

| Effect | Description |
| --- | --- |
| Audit | Logs the non-compliant action but does not block it |
| Deny | Blocks the deployment of non-compliant resources |

11. What is the ‘deployIfNotExists’ policy effect?

deployIfNotExists does multiple things. A policy with this effect acts as specified in the policy in which it is defined:

  • Checks if a related resource exists
  • If not found, it deploys it via a linked ARM template

12. What are policy parameters in Azure Policy?

Policy Parameters make policies reusable and flexible by allowing input values during assignment.

Example:

"parameters": {
  "allowedLocations": {
    "type": "Array",
    "defaultValue": ["eastus", "westeurope"]
  }
}

Later, we can refer to these values in the policy conditions.

13. How can Azure Policy be integrated with CI/CD pipelines for continuous compliance?

Azure Policy can be integrated into CI/CD pipelines to enforce continuous compliance by validating infrastructure as code (IaC) deployments before they reach production. This is typically done by adding policy checks as a step in the deployment pipeline.

For example, in Azure DevOps or GitHub Actions, you can use tasks or actions that call Azure Policy to evaluate ARM templates, Bicep files, or Terraform plans before resources are deployed. If a deployment violates a policy (like creating a resource in an unauthorized region or without encryption), the pipeline can fail the build or block the release.

This integration is achieved through:

  • Azure Policy REST APIs or Az CLI commands to trigger policy evaluations
  • Built-in Azure DevOps extensions (like Azure Policy Check Gate)
  • Custom scripts that validate deployments against assigned policies
  • Policy-as-code approaches, where policy definitions are stored and versioned in Git alongside your infrastructure code

This setup helps you shift compliance left, meaning you catch policy violations early in the development process rather than after deployment.
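
One form the custom validation script mentioned above can take, applied to the region and VM-size rule from question 9 with parameters as in question 12 (an added example, not code from the original article and not Azure's evaluation engine). It assumes template values are literals rather than ARM expressions; the template, parameter values and function names are constructed, and `Microsoft.Compute/virtualMachines/sku.name` is the policy alias for `properties.hardwareProfile.vmSize`.

```python
import re

SIZE_ALIAS = "Microsoft.Compute/virtualMachines/sku.name"
ALIASES = {SIZE_ALIAS: "properties.hardwareProfile.vmSize"}  # alias -> template path
POLICY = {  # constructed definition: Q9 rule with Q12-style parameters
    "parameters": {
        "allowedLocations": {"type": "Array", "defaultValue": ["eastus", "westeurope"]},
        "allowedSizes": {"type": "Array", "defaultValue": ["Standard_B2s", "Standard_D2s_v5"]},
        "effect": {"type": "String", "defaultValue": "deny"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
            {"anyOf": [
                {"field": "location", "notIn": "[parameters('allowedLocations')]"},
                {"field": SIZE_ALIAS, "notIn": "[parameters('allowedSizes')]"}]}]},
        "then": {"effect": "[parameters('effect')]"}}}
TEMPLATE = {"resources": [  # constructed ARM template resources, literal values only
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-ok", "location": "eastus",
     "properties": {"hardwareProfile": {"vmSize": "Standard_B2s"}}},
    {"type": "Microsoft.Compute/virtualMachines", "name": "vm-big", "location": "westeurope",
     "properties": {"hardwareProfile": {"vmSize": "Standard_M128s"}}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stlogs", "location": "southindia"}]}

def resolve(value, params):  # "[parameters('x')]" -> value assigned to x
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", value) if isinstance(value, str) else None
    return params[m.group(1)] if m else value

def field_value(resource, field):  # walk the dotted path; missing keys give None
    node = resource
    for key in ALIASES.get(field, field).split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node.lower() if isinstance(node, str) else node

def matches(cond, resource, params):
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    actual = field_value(resource, cond["field"])  # string comparisons ignore case
    if "equals" in cond:
        return actual == resolve(cond["equals"], params).lower()
    return actual not in [v.lower() for v in resolve(cond["notIn"], params)]

def check_template(template, policy, overrides=None):
    params = {k: v["defaultValue"] for k, v in policy["parameters"].items()}
    params.update(overrides or {})  # values supplied at assignment time
    effect = resolve(policy["policyRule"]["then"]["effect"], params).lower()
    hits = [r["name"] for r in template["resources"]
            if matches(policy["policyRule"]["if"], r, params)]
    return {"effect": effect, "violations": hits, "fail": effect == "deny" and bool(hits)}
```

Running the same check with `{"effect": "audit"}` as the override lists the same violations without failing the pipeline, which matches the audit-first rollout described in question 6.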

14. You need to prevent the deployment of unmanaged disks in your environment. How would you achieve this using Azure Policy?

  • Use a built-in policy: “Audit VMs that do not use managed disks,” or create a custom deny policy
  • Effect: Deny
  • Check if:

"field": "Microsoft.Compute/disks/createOption",
"equals": "Attach"

15. How do Azure policies help you to improve your overall security posture?

Azure Policies can help you implement standards to:

  • Enforce security baselines (e.g., enable encryption, enforce firewall rules)
  • Block insecure configurations (e.g., open ports, public IPs)
  • Ensure resource consistency and compliance.
  • Help with regulatory standards (e.g., ISO, NIST, CIS)
